
Bug#514951: [checks/binaries] check the output of strings for typos and mistakes



Russ Allbery wrote:

> Raphael Geissert writes:
>> Russ Allbery wrote:
> 
>>> You have to run strings -a if you're going to implement that, at which
>>> point I think chances are pretty high that you're going to get false
>>> positives from the spell checking part.
> 
>> Not true; I've already tried without -a and successfully matched the zlib
>> version string.
> 
> Hm, you hadn't mentioned that you were going to take that approach, and
> that isn't the approach laid out in that bug report.  

Actually it is:

> It should scan .deb files for ELF
> object files which match one of the following Perl regexps:
> 
>   /inflate ([0-9][ 0-9a-zA-Z.\-]{1,100}[0-9a-zA-Z.\-])/
>   /deflate ([0-9][ 0-9a-zA-Z.\-]{1,100}[0-9a-zA-Z.\-])/

$ strings /usr/bin/rsync | egrep 'inflate ([0-9][ 0-9a-zA-Z.\-]{1,100}[0-9a-zA-Z.\-])'
 inflate 1.2.3 Copyright 1995-2005 Mark Adler

> The concern I have 
> there is false negatives on embedded versions of zlib that don't happen to
> include the static version string.  It seems like a fairly natural thing
> to get rid of, and slightly modified versions of zlib are a common
> problem.  What specific string are you looking for?
> 
> We could try using both methods against the entire archive and make sure
> they find the same thing.
> 
>> I checked many packages and didn't find any false positive. In any case,
>> it could be implemented as an experimental check.
> 
> I'm okay with implementing it as an experimental check *if* we don't need
> to use strings -a, but I'm not convinced that's the case.
> 

Demo above. And diff of the output of strings and strings -a
on /usr/bin/rsync:

2030a2031,2117
> GCC: (Debian 4.3.0-5) 4.3.1 20080523 (prerelease)
> GCC: (Debian 4.3.0-5) 4.3.1 20080523 (prerelease)
> GCC: (Debian 4.3.1-7) 4.3.1
> GCC: (Debian 4.3.1-7) 4.3.1
[...]
> GCC: (Debian 4.3.1-7) 4.3.1
> GCC: (Debian 4.3.0-5) 4.3.1 20080523 (prerelease)
> GCC: (Debian 4.3.1-7) 4.3.1
> GCC: (Debian 4.3.0-5) 4.3.1 20080523 (prerelease)
> .shstrtab
> .interp
> .note.ABI-tag
> .gnu.hash
> .dynsym
> .dynstr
> .gnu.version
> .gnu.version_r
> .rel.dyn
> .rel.plt
> .init
> .text
> .fini
> .rodata
> .eh_frame_hdr
> .eh_frame
> .ctors
> .dtors
> .jcr
> .dynamic
> .got
> .got.plt
> .data
> .bss
> .comment

IOW: nothing useful is obtained from -a.

> (Basically, I just don't think this check is particularly important.  It
> has some minor benefits, but I think it's much less important than
> accurately detecting embedded copies of zlib.)
> 
>> By the way, pusling mentioned on IRC that we should take care of telling
>> the maintainer how to correctly fix the mistakes without fuzzing the
>> translations. For this, all that is needed is to fix the mistakes in the msgids
>> of the .po files as well.
> 
> I don't believe anything that Lintian currently spell-checks is
> translated. 

He was talking about the new check for spell checking binaries.

> I don't remember off-hand why we don't spell-check debconf 
> templates.  I have some vague memory that it was for a specific reason,
> not just because no one had thought of it, but I don't recall the reason.
> 

No idea.


Cheers,
-- 
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net
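
The match discussed in this message, as an added Python example (not code from the thread or from Lintian): it extracts printable runs from the whole file, comparable to strings -a, and applies the two regexps quoted from the bug report. The function names and both byte samples are constructed for illustration; the second sample is a copy with the version string removed, which the regexps cannot see.

```python
import re

# The two Perl regexps quoted from the bug report, merged into one alternation.
ZLIB_RE = re.compile(
    rb"(inflate|deflate) ([0-9][ 0-9a-zA-Z.\-]{1,100}[0-9a-zA-Z.\-])"
)


def printable_strings(data, min_len=4):
    """Return printable ASCII runs from the whole buffer (like strings -a)."""
    run = re.compile(rb"[\x20-\x7e\t]{%d,}" % min_len)
    return [m.group() for m in run.finditer(data)]


def embedded_zlib_versions(data):
    """Return sorted (component, version) pairs for zlib version strings."""
    found = set()
    for s in printable_strings(data):
        for m in ZLIB_RE.finditer(s):
            # The pattern also captures the copyright text that follows;
            # keep only the leading version token.
            version = m.group(2).split()[0].decode("ascii")
            found.add((m.group(1).decode("ascii"), version))
    return sorted(found)


# Constructed sample: binary padding around zlib-style version strings.
SAMPLE_WITH_ZLIB = (
    b"\x7fELF\x01\x01\x00" + b"\x00" * 8
    + b" deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly \x00"
    + b"\x01\x02"
    + b" inflate 1.2.3 Copyright 1995-2005 Mark Adler \x00"
)

# Constructed sample: an embedded copy whose version string was dropped,
# leaving only an error message. The regexps give a false negative here.
SAMPLE_NO_VERSION = (
    b"\x7fELF\x01\x01\x00" + b"\x00" * 8 + b"inflate: invalid block type\x00"
)

if __name__ == "__main__":
    print(embedded_zlib_versions(SAMPLE_WITH_ZLIB))
    print(embedded_zlib_versions(SAMPLE_NO_VERSION))
```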




